Companies Back Initiative to Support OpenSSL and Other Open-Source Projects

By Nicole Perlroth
April 24, 2014 8:00 am

SAN FRANCISCO — The nonprofit Linux Foundation and more than a dozen prominent technology companies are to announce an initiative on Thursday to fund crucial open-source projects.

Chief among those projects will be OpenSSL, the Internet security method used by millions of web servers and Internet-connected devices. Researchers recently discovered a major flaw in OpenSSL that they called Heartbleed.

Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware have each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, the effort organized by the Linux Foundation, which supports the popular Linux computer operating system.

Each backer will select representatives to sit on a steering committee along with open-source developers and academics. The committee will direct money to open-source projects. In turn, the money will be used to fund fellowships for developers to work on open-source projects full time. It will also pay for security audits, computing and testing infrastructure, travel, and coordination among companies that may be working on similar projects.

The Core Infrastructure Initiative will start with OpenSSL. Despite its widespread use, OpenSSL is managed by only one full-time developer and a small, volunteer staff.

Open-source projects are usually software development efforts organized and run by volunteers, connected on the Internet, who work together to build, maintain and improve free software. Ideally, they check one another’s work in a peer review system. It has led to the creation of widely used software like Linux and the web browser Firefox.

But security experts and even the open-source movement’s biggest advocates acknowledge that Heartbleed revealed that some crucial open-source systems are underfunded and suffering from a lack of resources.

In an interview on Wednesday, Jim Zemlin, the executive director of the Linux Foundation, said the most significant issue was a lack of awareness regarding which open-source projects needed what, something he said the Core Infrastructure Initiative will help address.

“This is not just about the money, but the forum,” Mr. Zemlin said. “Instead of responding to a crisis retroactively, this is an opportunity to identify crucial open-source projects in advance. Right now, nobody is having that conversation, and it’s an important conversation to have.”

The Core Infrastructure Initiative is one of many such projects to be discussed since the Heartbleed bug was made public two weeks ago.

The early open-source advocate Eric S. Raymond and other leaders in the open-source community like Paul Vixie, founder of the Internet Systems Consortium, a nonprofit Internet “action tank,” have been discussing a similar initiative called the Internet Civil Engineering Institute.

The idea was to fund security audits of crucial open-source software like OpenSSL and the Internet Time Service protocol, which synchronizes computer times over the Internet. It is used by major financial exchanges and maintained by one developer in Maryland.

“The problem is the usage volume of the Internet is going way up and the Internet’s complexity is going up — straining this volunteer cadre of developers,” Mr. Raymond said in an interview last week. “This is a recipe for serious trouble down the road.”

[Photo] As part of the response to the Heartbleed bug, T-shirts bearing the slogan “I Heartbleed OpenSSL” are being sold online, with the proceeds going to the OpenSSL project. Credit: Screenshot via SlashDB.com

Heartbleed has also prompted a number of volunteers from OpenBSD, another open-source project, to comb through OpenSSL code in order to find mistakes and fix them.

Elsewhere, some were making T-shirts that say “I Heartbleed OpenSSL,” featuring the Heartbleed logo, selling them online and donating some of the proceeds to the OpenSSL project.

Steve Marquess, who runs the OpenSSL Software Foundation, which finds contract work for OpenSSL developers, said last week that the OpenSSL Project had received more than $17,000 in donations since Heartbleed was exposed, most of that from individuals. He noted that the biggest donation, as of last Friday, was $300 and the smallest was 2 cents (which unfortunately had been donated through PayPal, which took both cents).

But this week, the project hoped to bypass PayPal fees by accepting donations using another open-source method: Bitcoin.